Educause Security Discussion mailing list archives

Re: regarding the critical DNS protocol vulnerability


From: Dick Jacobson <Dick.Jacobson () NDUS NODAK EDU>
Date: Fri, 11 Jul 2008 08:03:10 -0500

On Fri, 11 Jul 2008, Russell Fulton wrote:

On 11/07/2008, at 4:17 PM, Russ Harvey wrote:
Unfortunately the ISC fixes we tried for BIND did not work. We are running
9.4.1-P1 so first went to 9.4.2-P1, then 9.5.0-P1, then 9.5.1b1. We found
either exhausted file descriptors, EDNS handling bugs, or just plain poor
performance. We are back to 9.4.1-P1.

Anyone else having problems with patching BIND for this problem?

We are using RHE 5 and applied their standard updates without problems.  I
warned our admins about the potential performance issues and they upgraded
just one of the four to see how it went.  Everything was OK so we upgraded
the other 3 too.  Typically our servers get around 10,000 queries per
minute...

Russell


Is that really a fix from Red Hat?  This is the response I got from one
of our sysads when I asked ...

Red Hat has already released patches to bind that *reduce*
the problem.

The patches apparently just lessen the exposure though, they don't fix it.
To fix it we would need to deploy DNSSEC.


-----------------------------------------------------------------------
Dick Jacobson                   e-mail : Dick.Jacobson () ndus NoDak edu
NDUS IT Security Officer        office : STTC 219
                phone  : 701-231-6280 <NEW phone number>
-----------------------------------------------------------------------
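Added example, not part of the thread or of any vendor's patch: the July 2008 vendor updates for this vulnerability (Red Hat's BIND updates among them) mitigated cache poisoning by randomizing the UDP source port of outbound queries, on top of the 16-bit transaction ID, which is why they reduce rather than eliminate the exposure. The script below is one way an admin could confirm a freshly patched resolver is actually emitting randomized ports before rolling the update to the remaining servers. It parses tcpdump-style DNS summary lines (the sample lines are constructed in-code) and reports the entropy of source ports and transaction IDs; the thresholds and the "randomized"/"weak" verdict are my own assumptions.

```python
import math
import random
import re
from collections import Counter

# Matches the source port and the DNS transaction ID in a tcpdump-style line such as
# "10:15:32.000001 IP 10.0.0.2.40123 > 192.0.2.1.53: 12345+ A? example.com. (29)"
# (format modelled on tcpdump's DNS summary; all sample lines below are constructed).
LINE_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: (\d+)\+")


def parse_outbound_queries(lines):
    """Return (source_port, txid) for every line that looks like an outbound query."""
    pairs = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def shannon_entropy(values):
    """Shannon entropy, in bits, of the empirical distribution of the values."""
    counts = Counter(values)
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def sequential_fraction(values):
    """Fraction of consecutive pairs that step by exactly +1 (a counter, not a PRNG)."""
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if b - a == 1)
    return steps / (len(values) - 1)


def assess(pairs, ratio_threshold=0.9, sequential_threshold=0.5):
    """Score a capture. Entropy is compared with log2(n), the maximum for n queries.
    Thresholds are assumptions chosen for illustration."""
    n = len(pairs)
    if n < 2:
        return {"verdict": "insufficient data", "findings": []}
    ports = [p for p, _ in pairs]
    txids = [t for _, t in pairs]
    max_bits = math.log2(n)
    port_ratio = shannon_entropy(ports) / max_bits
    txid_ratio = shannon_entropy(txids) / max_bits
    seq = sequential_fraction(txids)
    findings = []
    if port_ratio < ratio_threshold:
        findings.append("source port not randomized")
    if txid_ratio < ratio_threshold:
        findings.append("transaction ID low entropy")
    if seq > sequential_threshold:
        findings.append("transaction ID sequential")
    return {
        "queries": n,
        "distinct_ports": len(set(ports)),
        "port_entropy_ratio": round(port_ratio, 3),
        "txid_entropy_ratio": round(txid_ratio, 3),
        "txid_sequential_fraction": round(seq, 3),
        "findings": findings,
        "verdict": "randomized" if not findings else "weak",
    }


def constructed_capture(randomized, n=200, seed=7):
    """Constructed sample capture: a resolver that sends every query from port 53 with a
    counting transaction ID, or one that draws both from a seeded PRNG."""
    rng = random.Random(seed)
    lines = []
    for i in range(n):
        if randomized:
            port, txid = rng.randint(1024, 65535), rng.randint(0, 65535)
        else:
            port, txid = 53, (4096 + i) & 0xFFFF
        lines.append(
            f"10:15:{i % 60:02d}.{i:06d} IP 10.0.0.2.{port} > 192.0.2.1.53: "
            f"{txid}+ A? host{i}.example.com. (30)"
        )
    return lines


if __name__ == "__main__":
    for label, flag in (("fixed-port resolver", False), ("randomizing resolver", True)):
        print(label, assess(parse_outbound_queries(constructed_capture(flag))))
```

On a real server, feed it the output of a short tcpdump of outbound port-53 traffic instead of the constructed lines; a patched resolver should show a port entropy ratio near 1.0 across a few hundred queries, while a single distinct port or a counting transaction ID means the update has not taken effect (or a NAT in front of the resolver is collapsing the ports, which is worth checking separately).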
